Security in the WebLogic Portal Administration Tools and the E-Business Control Center

 

In addition to the sample applications, WebLogic Portal also includes some applications that you may use to develop and maintain your e-commerce Web site. Presently, these tools are available in two forms: the browser-based WebLogic Portal Administration Tools and the stand-alone E-Business Control Center.

The WebLogic Portal Administration Tools and the E-Business Control Center (EBCC) are designed for use by the specific individuals within your organization who are authorized to make modifications to your e-business Web site. Thus, both applications require some security protections. The security implemented in these applications are discussed in the following sections:

• Security in the WebLogic Portal Administration Tools

• Security in the E-Business Control Center

 

---

Security in the WebLogic Portal Administration Tools

The purpose of the browser-based WebLogic Portal Administration Tools is to provide administrative users of WebLogic Portal with the ability to manage various aspects of an e-commerce Web application. The WebLogic Portal Administration Tools application includes JSPs for Portal Management, User Management, Catalog Management, Order Management, and Payment Management. Thus, access to these administration JSPs must be granted only to authorized users.

Note: For detailed information about accessing the WebLogic Portal Administration Tools, logging in, or changing the Administrator password, see WebLogic Portal Administration Tools in the WebLogic Portal Architectural Overview.

When users attempt to access the WebLogic Portal Administration Tools, the application invokes basic authentication techniques to present a login screen to the user. An example of a login screen is shown in Figure 5-1.

Figure 5-1 Administration Login Screen

 

Note: With basic authentication, the WebLogic Server instructs the Web client to prompt for a username and password, which the server then uses to authenticate a principal. For more information about authentication and principals, see Users and User Groups as Principals.

When the user submits their username and password to gain access to the WebLogic Portal Administration Tools, the submitted information is passed to the WebLogic Server for verification. The security mechanism in WebLogic Server verifies that the user is part of the SystemAdministrator or DelegatedAdministrator user group and that the user has supplied the correct password. If the user supplies a valid username and password combination, WebLogic Server authenticates the user and grants access to the WebLogic Portal Administration Tools.

Presently, users who have been successfully authenticated by the WebLogic Server and belong to the SystemAdministrator user group have permission to use all the features available in the WebLogic Portal Administration Tools. As such, the WebLogic Portal Administration Tools home page will be presented to these users following authentication (Figure 5-2).

Figure 5-2 WebLogic Portal Administration Tools Home Page

 

Alternatively, users who have been successfully authenticated and belong to the DelegatedAdministrator user group have permission to use the Portal Management features only. Therefore, these users will be presented with the Portal Management home page following authentication (Figure 5-3). Additionally, the Portal Management home page will display only the portals or group portals to which the user has access (depending on whether the DelegatedAdministrator is further defined as a Portal Administrator (PA) or a Group Administrator (GA)). For more information, see Portal Administration and Security.

Figure 5-3 Portal Management Home Page

 

 

---

Security in the E-Business Control Center

The E-Business Control Center (EBCC) is an application available for use with WebLogic Portal. The E-Business Control Center is designed to simplify the tasks that are necessary to create and maintain a truly personalized Web site. To meet this objective, the E-Business Control Center guides both business and technical users through a variety of tasks, ensuring that people in these diverse roles can focus on the aspects of e-business management that are relevant to them.

The E-Business Control Center is similar to the WebLogic Portal Administration Tools in that it allows certain, privileged users to affect the content and behavior of a Web site. However, the similarities end there. The E-Business Control Center:

• Is a stand-alone GUI application (rather than a set of Web-based tools built using JavaServer Pages) that is not started within a Web browser.

• Allows authorized users to edit development-time aspects of a Web site, rather than the administrative (runtime) aspects (which are modified using the WebLogic Portal Administration Tools).

Notes: For information about installing the E-Business Control Center, see Installing the E-Business Control Center in the Installation Guide. For instructions on how to access the E-Business Control Center, see Starting the E-Business Control Center in the Guide to Using the E-Business Control Center documentation.

The E-Business Control Center works against files, so users of this tool can view and modify any files that reside locally on their filesystem. Security is required, however, when the E-Business Control Center communicates with a WebLogic Portal server via servlet calls. Some of these servlets require basic authentication to be performed before they can be accessed because they are protected by standard Web application security mechanisms. Therefore, although the majority of E-Business Control Center functionality does not require users to log in to a running WebLogic Portal server, users are required to log in when viewing or using certain data that causes the protected servlets to be called. Users must log in to the server to:

• Search for or preview ads in various windows.

• Access property sets in various windows.

• Use the Catalog Browser in various windows to select items in a catalog.

• Select and preview e-mail content that will be sent out automatically as part of a promotional campaign.

• Synchronize your application data to the server.

In these cases, a user is first prompted to connect to a server by providing some connection information, which includes the name of the WebLogic Portal server, a username and a password. This information is typically gathered in the Connections Setup window, shown in Figure 5-4.

Figure 5-4 Connection Setup Window

 

Notes: If prompted to login prior to a data synchronization operation, this information is gathered in the Connections tab of the Synchronization Setup window. For details about these windows and the information required to connect, see Connecting to the Server in the Guide to Using the E-Business Control Center documentation.

If you are using the E-Business Control Center to make server-encrypted connections using SSL (Secure Socket Layer), then the information you specify in the Server input field should start with https:// Remember that for SSL connections to work, you must have a valid SSL certificate from a certificate authority set up on your server. For more information about certificates, see Digital Certificates in the Programming WebLogic Server Security documentation.

The username/password combination required for a data synchronization operation (and all other protected operations) is either:

• The system user only (and not all members of the Administrator user group).

• Any user in the SystemAdministrator user group.

Note: The username/password combination is authorized by the WebLogic Server's security mechanisms.

Note: The features available to authorized users of the E-Business Control Center depend on the version of the application present in your organization. Versions of the E-Business Control Center are determined by product license. For more information on application versions, see What the E-Business Control Center Provides in the "Introduction" topic of the Guide to Using the E-Business Control Center documentation.